Malicious PDF — malware analysis report

Static analysis result for SHA-256 e7767a49c510fffa…

MALICIOUS

PDF

Size: 167.6 KB
Created: 2021-03-15 11:04:28 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-24
MD5: a5451d6b3d33a5699ddf1ded2cb23163
SHA-1: 150aeabe7fad31804ff5033250bbda55c853d138
SHA-256: e7767a49c510fffa110bbdd5ecd97e6b1c90f08a87160b0f6877f691289b2a8a
Risk Score: 134

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as malicious by ClamAV and an ML classifier. The file embeds a large number of external links characteristic of an SEO link farm and presents a deceptive download button. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9922

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off00020fd0.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x20FD0 | 9956 bytes | 182ffdf6403417c17024e187e09e23eb18e2df886e9e3930b3d715335df8bfe8
font_01_sfnt_off000230d0.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x230D0 | 4904 bytes | 9b481d627d87e0897c02f0260c8357a32aacee0315ec56955b77464c233c327b
font_02_sfnt_off00024192.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x24192 | 12336 bytes | bff8e0047e4799ea27f5243bf061622d6c5968ef5418d26b3b2c7b804489cce7
font_03_sfnt_off00026b76.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x26B76 | 16272 bytes | caf5eb17723803c3ccdc723927c5eb2d689f25ae1c6c810163d99b26fa1f3a44
font_04_sfnt_off0002811a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2811A | 4324 bytes | 1158d95dac44631f497756703988ba3645251422e7ff0015d3fca430225e7c3e